also, defender is synchronous by default (e.g. nothing gets written until it gets scanned, and scanning parallelization is limited), and can only act asynchronously (aka write first, then queue check) on "trusted dev drives" (aka ReFS-based virtual vhdx partitions aimed at developers as a solution to horrible ntfs throughput, especially if defender is enabled)
Not true, it does get written before it gets scanned. In fact, it doesn't even always scan before the file is read by explorer (yes, it's the worst AV ever). It's easy to prove this, just extract FFF's WinRAR keygen and you'll see what I mean.